AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


First Time GIAC: Studying for the GCFE

Reading about SANS courses and GIAC certifications prior to this experience was a little overwhelming. Depending on dozens of factors, people who post online seem to have had either a good or a terrible experience. Forums say anything from “agonize over every word” to “passed without the class,” with not enough background to quickly figure out which side of the spectrum you might be on. 

So, I’ll put that up front: In my current role, I am a Detective Sergeant with six years of experience with digital forensics work as my non-primary role. I have a Master of Science in Digital Forensic Science from Champlain College. I would not, by any means, consider myself an expert. Utilizing the LocalLaw50 discount, I paid for the course out of pocket, taking the course OnDemand and using both practice exams. In the end, I scored 90+% on the final exam. If that sounds like you, or a starting point you could work off of, feel free to keep reading for my experience with the GCFE.

My Experience with FOR500/GCFE

I took one full week of vacation to take the course. I had to take it OnDemand because I couldn’t fit my vacation schedule around the Live Online offerings. My plan was to watch the course material and index at the same time, but that was out the window by Tuesday. I found that I was listening just to write things down rather than to learn the material. It just didn’t fit my study style, though it definitely would have been a time saver. I did continue to follow along in the textbooks and completed all the video content on Thursday, doing the final challenge on Friday. I finished the course feeling like I’d drunk from a firehose. I’d learned so much, but so very fast, and I knew I hadn’t caught it all on the first run.

My Index Method

My method for the index was a mashup of many of the methods I could find online. Primarily, I mirrored Andrew Rathbun’s long form method and borrowed elements from others. My idea was that I hoped if I forgot a thing, I could quickly reference it (or reinforce what I thought) using my index and not have to open the book. But, if I had to open my book, I wanted to be able to confidently flip to the right section of the book to start my search. Just making this document and summarizing things in my own words was a phenomenal form of studying. 
I used Google Sheets. I had one sheet for each book, an overall table of contents, acronyms page, and tools page. Before each test/exam, I would take all of these pages, copy their contents, and paste them into one long sheet and sort them alphabetically. 
My headers for each sheet were Book Number, Page Number, Topic, and Notes. Topics were anything from artifacts to tools to concepts. Notes included definitions, locations on disk, additional pages, related terms, and whatever I thought may have a question or may be useful to me after the course was complete. 
I also color coded my index, but not by book or section as some have done. I did it by type of entry. For example, tools were green. Main entries for a topic were yellow. Images or graphics on pages were red. Acronyms or defined words were blue. This meant when I was looking for a concept in the final version of all the books smashed together, I could look for the yellow cell to find the “main” entry and then go from there. Since I sorted everything alphabetically, “main” was not always alphabetically the top. Ex: “Topic” and “Topic – Subtopic” will sort the subtopic first.

An example of my index:

Practice Test #1

Once the video part of the course was complete, I took the weekend and finished a rough draft of my index by paging through the books and writing down the obvious stuff from each page/slide.

I took Practice Test #1 on Sunday. I used 0 skips and finished 45 minutes early and, honestly, it was all a blur. When researching the certifications, I had read so many things saying that people got really close on time or they looked up and had to just put something for the last 10 questions that I rushed a lot more than I should have. My first practice test score was an 86%. 

I intended to take another week to refine my index before practice test #2. Ending up busier than expected at work and home, I pushed it back from the following Sunday to the following Friday. This meant I was effectively a week “behind” my plan, so I penciled in my next practice test for that Friday and immediately scheduled my final exam for four days later. No backing out, no delays, I was getting it done. The extra days also gave me time to review 13Cubed’s Intro to Windows Forensics playlist on YouTube and include some additional notes/clarification in my index. I also gave the MP3s a go for the sections I had scored lower on. 

Practice Test #2

On Practice Test #2, I went in with every page in every book reviewed and highlighted. I finished with only 15 minutes left and used many of my skips. I scored 92%. At this point, I recognized that I wasn’t necessarily wording entries the way I would search for them under stress so my searches were taking longer just to find the right entry in my index. The answers were all there, I just couldn’t find them quickly. Ex: “Email – Exchange” or “Exchange – Email”. I also didn’t print my table of contents page for all the books and recognized that I was probably leaving some answers to chance when I could have confirmed them by just finding the right section. I made further edits to my index over the weekend and added index entries for the SANS posters and cheat sheets so I could quickly reference them as well. The last thing I added was copying the textbook provided index into my overall index. This meant that some things, like LNK files, had multiple entries between the book’s index, the posters, the cheat sheets, and the book entries I’d made. I ended up going through and cleaning out the entries that weren’t super useful or were duplicated with less information (ex: book index is just book:page with no context so my entries were more useful for me). By simply reviewing all this material, more information fell into place for me.

Final Exam

For the final exam, I printed both the complete index alphabetically and the book-by-book version of the index. I referred to the book-by-book version only once, but I’m glad I had it. It provided further context to each entry and was 0% more effort. Since my alphabetically sorted index ended up 50 pages and approximately 1,500 entries with the duplications, I ended up alphabet tabbing it. I also included my separate table of contents, tools, acronyms, and cheat sheets/posters. This all easily fit, sleeved, in a 1” binder. Perhaps it was a bit of test anxiety, but I again finished significantly ahead of time (approx. 49 minutes early) but scored 92%. There was a small batch of questions that I struggled with. Looking back, I was just so hyper focused on one word that I looked in all the wrong places. In the end, I’m happy with this result. I may have scored a bit higher if I had given it another week or two, but it probably would have been an example of the law of diminishing returns. For any future courses, I suspect I’ll stick to the same method and be glad I know what I’m getting into from the jump.

Exam Format/ProctorU

I used the ProctorU system for proctoring my exam and took it from home. To avoid any delays, I removed my extra monitors completely from the machine and put them outside the room. I also completely reformatted the computer to avoid interfering programs. My webcam didn’t like focusing on my IDs so I had to use my phone camera and then stash the phone on a shelf behind me. Overall, it was a genuinely painless experience.

I found that the actual exam format was different from other exams I’ve taken. I’m used to exams where the questions can be answered out of order and skips can be answered willy-nilly throughout the exam. This format is very sequential. Once an answer is submitted, that’s the last you’ll see of that question, onward and onward until the exam is done. Similarly, if you skip 5 questions, you have to answer all 5 in a row when you go back to your skips. This means if you stumble across a helpful answer while answering another question, you either have to remember it until the end or commit to answering all of your skips. Exposure to the practice exams will help in adjusting to these features. 

Summary to recreate my method: 

  • Buy a 1” binder, page tabs, and page sleeves.
  • Read and highlight every page in every book, including workbooks, cheat sheets, and posters.
  • Make a long form index with, sometimes lengthy, entries straight from the text – include the 5 W’s, if available.
  • Use Sheets and put all entries for each book on their own sheet.
  • Before each exam, combine all entries into one sheet and sort alphabetically.
  • Color code entries by Main entry, Tools, Definitions, Graphics, etc. 
  • Duplicate entries that you know you may not search in exact matching context – Ex: “USB – setupapi” and “setupapi – USB”.
  • Index the posters and cheat sheets if you’re not familiar.
  • Make a “Table of Contents” with the section headers for all the books.
  • Use your skips! If you don’t know the answer within the first scan of your index, skip it.
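The merge-and-sort steps above are easy to get subtly wrong by hand (the post notes that “Topic – Subtopic” entries can sort ahead of the main “Topic” entry, and that copied-in book index entries create weaker duplicates). Below is an added example, written for this page and not the author’s own spreadsheet or script, that performs those steps in Python: it expands “A – B” topics into a swapped “B – A” entry, drops exact duplicates while keeping the entry with the richer notes, sorts alphabetically by head term with the main entry ahead of its subtopics (one step beyond the plain alphabetical sort the post used), and emits a CSV that can be pasted into a single sheet. The book and page numbers, entry kinds, and notes are constructed sample data, not values from the FOR500 books.

```python
"""Merge per-book index sheets into one sorted, searchable GIAC-style index.

Added example for this page, not the original author's method or code.
All entries below are constructed samples; book/page numbers are invented.
"""
from dataclasses import dataclass, replace
import csv
import io

SEP = " – "  # the "Topic – Subtopic" separator used in the post's entries


@dataclass(frozen=True)
class Entry:
    book: int
    page: int
    topic: str
    notes: str
    kind: str  # main | tool | definition | graphic | toc | xref (the post's colour key)


def swap_variants(entry: Entry) -> list[Entry]:
    """Emit 'B – A' beside 'A – B' so the entry is found in either search order.

    The swapped copy is tagged 'xref' so only the original keeps the 'main' colour.
    """
    if SEP not in entry.topic:
        return [entry]
    head, sub = entry.topic.split(SEP, 1)
    swapped = replace(entry, topic=f"{sub}{SEP}{head}", kind="xref")
    return [entry, swapped]


def dedupe(entries: list[Entry]) -> list[Entry]:
    """Collapse entries with the same topic/book/page, keeping the richer notes."""
    best: dict[tuple[str, int, int], Entry] = {}
    for e in entries:
        key = (e.topic.casefold(), e.book, e.page)
        if key not in best or len(e.notes) > len(best[key].notes):
            best[key] = e
    return list(best.values())


def sort_key(entry: Entry):
    """Alphabetical by head term; a 'main' entry sorts before subtopics of the same term."""
    head, _, sub = entry.topic.partition(SEP)
    return (head.casefold(), 0 if entry.kind == "main" else 1,
            sub.casefold(), entry.book, entry.page)


def merge_books(sheets: dict[int, list[Entry]]) -> list[Entry]:
    """Combine every book's sheet into one list: expand swaps, dedupe, sort."""
    expanded = [v for entries in sheets.values() for e in entries for v in swap_variants(e)]
    return sorted(dedupe(expanded), key=sort_key)


def to_csv(entries: list[Entry]) -> str:
    """Render the merged index with the post's column headers (plus the colour key)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Book", "Page", "Topic", "Notes", "Kind"])
    for e in entries:
        writer.writerow([e.book, e.page, e.topic, e.notes, e.kind])
    return buf.getvalue()


# Constructed sample sheets, one per "book"; numbers and notes are illustrative only.
SAMPLE_SHEETS: dict[int, list[Entry]] = {
    1: [
        Entry(1, 42, "LNK Files", "Windows shortcut files; Recent folder; see also LECmd", "main"),
        Entry(1, 42, "LNK Files", "shortcut", "main"),  # weaker duplicate, as from a book's own index
        Entry(1, 44, "LNK Files – Structure", "header diagram", "graphic"),
        Entry(1, 50, "LECmd", "Zimmerman LNK parser", "tool"),
    ],
    2: [Entry(2, 10, "USB – setupapi", "device install log", "main")],
    3: [Entry(3, 5, "Exchange – Email", "server-side artifacts", "main")],
}


def build_index(sheets: dict[int, list[Entry]] = SAMPLE_SHEETS) -> list[Entry]:
    """Entry point: returns the merged, sorted index for the given sheets."""
    return merge_books(sheets)


if __name__ == "__main__":
    print(to_csv(build_index()))
```

Paste the CSV into one sheet and apply the colour key on the Kind column; the “xref” rows are the swapped duplicates, so they can be pruned if the index gets too long.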


My Take on Preparing for GIAC Certification Exams
Better GIAC Testing with Pancakes
How To Build a SANS GIAC Index
Making A GIAC Exam Index
Voltaire (even though I didn’t use it, I admire the project!)
